

MFA for WVD, doesn't that already exist through Azure AD conditional access? Yes, it does, but it's limited to certain scenarios. With the Azure AD MFA WVD access, you only need to MFA once in order to access any desktop published through WVD. What if I want an MFA on the Remote Desktop application when opening a desktop in order to avoid users switching username when they left their application open? Which got me thinking: what if I want to request an MFA every time I launch a desktop? You see, there are many reasons why you would or would not want to request additional verification from a user when actually accessing data or applications.

Now, I've dealt with Duo Security a few years ago when I integrated it with Microsoft TMG, but I noticed they now also (probably for some time now) have a local and RDP login verification method as well. This means that as soon as I want to open an RDP connection, I'm challenged for MFA. Given WVD is based on RDP, I thought let's give this a try. Note that this post is in no way supported by Microsoft (AFAIK) and I haven't heard anything yet from Duo Security, so I guess that's a no-no as well. We need to use Duo as we want to be able to use the RDP agent they have released to secure the connection itself. This means we need to spin up a Duo instance (trial available). After getting your trial we need to onboard users.

We can either manually add users, synchronize with AD or synchronize with Azure AD. I chose the last one as it doesn't require any agents. Make sure to make the connection (login with a Global AAD Admin when asked) and allow the service to read your attributes and such. Also, on the same page, make sure to select a Group in which all your users are to be synchronized, else your import will result in 0 users. And given your users will use their on-premises samAccountName we will also need to import that attribute as well, which we can configure in the import. This way Duo will be able to match the Netbios name of users to their Duo profile as well. Alternatively, we can also import their configured phones (and send SMS invites to allow the users to download the Duo App and configure the application). For some reason I had to also include the domain name into the username, making the alias attribute look like DOMAIN\netbiosname.
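A pre-flight check for the Azure AD sync described above, added here as an example and not part of the original post or of Duo's tooling: it lists the members of the group selected for the Duo import and flags users with no on-premises samAccountName, since those cannot be matched to the NetBIOS user name the RDP agent sees. It assumes the Microsoft Graph PowerShell SDK is installed, that the sync group is identified by display name (the `Duo-Sync-Users` value is a placeholder), and, as a simplification, that the NetBIOS domain name is the first label of the DNS domain name.

```powershell
# Added pre-flight check (not from the original post): verify that every user in
# the group chosen for the Duo directory sync has an on-premises samAccountName,
# and show the DOMAIN\samAccountName alias the post ended up needing.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).

Connect-MgGraph -Scopes 'User.Read.All', 'GroupMember.Read.All' | Out-Null

$groupName = 'Duo-Sync-Users'   # placeholder: the group selected in the Duo sync page

$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group)          { throw "Group '$groupName' not found" }
if ($group.Count -gt 1)   { throw "More than one group named '$groupName'; pick by Id instead" }

$members = Get-MgGroupMember -GroupId $group.Id -All
if (-not $members) {
    Write-Warning 'The group has no members; the Duo import would return 0 users.'
}

$report = foreach ($m in $members) {
    # Group members can be users, devices or nested groups; only users sync to Duo
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    $u = Get-MgUser -UserId $m.Id -Property Id, UserPrincipalName, OnPremisesSamAccountName, OnPremisesDomainName

    # Assumption: NetBIOS name = first label of the on-premises DNS domain, upper-cased.
    # Adjust this if your NetBIOS domain name differs from the DNS name.
    $netbios = if ($u.OnPremisesDomainName) { ($u.OnPremisesDomainName -split '\.')[0].ToUpper() } else { $null }
    $alias   = if ($u.OnPremisesSamAccountName -and $netbios) { "$netbios\$($u.OnPremisesSamAccountName)" } else { $null }

    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        SamAccountName    = $u.OnPremisesSamAccountName
        DuoAlias          = $alias
        Problem           = if (-not $u.OnPremisesSamAccountName) { 'no on-premises samAccountName (cloud-only or not synced)' } else { '' }
    }
}

$report | Sort-Object Problem -Descending | Format-Table -AutoSize
"$(@($report | Where-Object Problem).Count) of $(@($report).Count) users would not match on NetBIOS name"
```

Run it before the first Duo import: any user listed with a problem will either be skipped or end up with a Duo profile the RDP agent cannot match to the `DOMAIN\username` it sees at logon, which shows up as an MFA prompt that never arrives rather than a clear error.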
